tripleo

SELinux prevents tmpwatch to remove old logs

Bug #1922002 reported by Cédric Jeanneret on 2021-03-31

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	In Progress	Medium	Cédric Jeanneret	tripleo xena-3

Bug Description

(First reported as rhbz#1944466)

Summary:
SELinux prevents tmpwatch to remove files, blocking a weird need for dac_override:

type=AVC msg=audit(1612722661.648:718821): avc: denied { dac_override } for pid=621991 comm="tmpwatch" capability=1 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability permissive=0

This leads to the following logs:

error: failed to unlink /var/log/containers/heat: heat_api.log.2.gz
[and any other variant]

After extensive tests, it seems the way cron.daily content is launched doesn't meet all the requirement for the environment, leading to the above issue. Pushing the exact same job in root's crontab solves the issue.

This is hitting osp-16.1, so we'll need to backport it down to stable/train...

Tags:

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2021-03-31:

#1

Fix for Master (and needing backports down to stable/train)
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/784008

Cédric Jeanneret (cjeanner) on 2021-03-31

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-14: Fix included in openstack/tripleo-heat-templates 12.4.3

#2

This issue was fixed in the openstack/tripleo-heat-templates 12.4.3 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-05: Fix included in openstack/tripleo-heat-templates 14.1.0

#3

This issue was fixed in the openstack/tripleo-heat-templates 14.1.0 release.

Marios Andreou (marios-b) on 2021-05-06

Changed in tripleo:
milestone:	wallaby-rc1 → xena-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-03: Fix included in openstack/tripleo-heat-templates 13.3.0

#4

This issue was fixed in the openstack/tripleo-heat-templates 13.3.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-04: Fix included in openstack/tripleo-heat-templates 11.6.0

#5

This issue was fixed in the openstack/tripleo-heat-templates 11.6.0 release.

Marios Andreou (marios-b) on 2021-06-22

Changed in tripleo:
milestone:	xena-1 → xena-2

Marios Andreou (marios-b) on 2021-07-21

Changed in tripleo:
milestone:	xena-2 → xena-3

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.